[Snort-users] Professional Opinions ---wanted
mkettler at ...4108...
Wed Sep 4 14:47:08 EDT 2002
My personal opinion, and one I've repeated often on the list, is that the
greatest danger in flexresp is that it might lead you to believe it is
useful in "managing attacks".

An attacker that knows you are using flexresp can actively bypass it by
advancing the sequence number. And if someone is actually attacking your
network by hand, they will know you're using some kind of flexresp-like
system pretty quickly. Sure they won't be able to get past it every time,
but they can and will be able to get past it some of the time, certainly
often enough to succeed if you were counting on flexresp to stop some
kiddie from r00ting your box.

Flexresp is a neat little tool, and it's useful for non-security
situations, i.e. if you're using snort as a bizarre pr0n filter, or as an
absolute last-ditch effort, but NEVER treat flexresp as a sure thing. I
think it also has some place in attempting to defend against theoretical
attacks if a signature is generated before a patch to the server code in
question can be made.

Flexresp is not a replacement for a well-patched server and properly
configured firewall, but as long as you aren't counting on it to provide
security it has some uses.

At 04:20 PM 9/4/2002 -0700, Tim wrote:
>Just wanted to get some opinions from people with experience with
>FLEXRESP. I have been toiling with the idea of jumping in and configuring
>snort with this option in order to manage some of the attacks.
>I did re-compile snort with the flexresp option this time (curiosity got
>the better of me). I made sure to install libnet before I did so. Which
>went fine...no errors. But I'm not sure if after running ./configure
>--enable-flexresp if I was supposed to run make and make install again.
>Any comments or insights to the installation process?
>What do you all think....is flexresp worth the effort? What are the pros
>and cons to this little utility? Your opinions are appreciated....TIA
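
The point in the reply about the sequence number comes down to a race at the receiving host: an injected RST is honoured only if its sequence number still falls inside the receive window when it arrives. The following is an added example, not part of the original post and not Snort code; the function names, the sample traffic, and the assumption that the sensor's RST carries the sequence number immediately following the sniffed segment are all constructed for illustration.

```python
# Model (not Snort code) of how a TCP receiver treats an injected RST.
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

def rst_outcome(rst_seq, rcv_nxt, rcv_wnd, rfc5961=False):
    """Return what the receiver does with a RST carrying rst_seq."""
    if not in_window(rst_seq, rcv_nxt, rcv_wnd):
        return "ignored"            # stale or far-future RST is dropped
    if rfc5961 and rst_seq != rcv_nxt:
        return "challenge-ack"      # stricter stacks demand an exact match
    return "reset"

def simulate(isn, segments, sniffed, delivered, rcv_wnd=8192, rfc5961=False):
    """
    isn       -- sequence number of the first payload byte (constructed value)
    segments  -- payload lengths the sender has put on the wire, in order
    sniffed   -- index of the segment that matched the rule
    delivered -- segments the receiver has already processed when the RST lands
    Assumption: the sensor builds its RST with the sequence number that
    immediately follows the segment it sniffed.
    """
    rst_seq = (isn + sum(segments[:sniffed + 1])) % MOD
    rcv_nxt = (isn + sum(segments[:delivered])) % MOD
    return rst_outcome(rst_seq, rcv_nxt, rcv_wnd, rfc5961)

if __name__ == "__main__":
    segs = [100, 100, 100]  # constructed traffic: three 100-byte segments
    for delivered in (1, 2, 3):
        print(delivered, simulate(1000, segs, sniffed=0, delivered=delivered))
```

With one segment processed the reset lands; once the receiver has consumed further data, the same RST is stale and dropped, which is why the reset cannot be treated as enforcement.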